--- title: Migrating Oracle groups description: The following sections outline the procedures for migrating static groups to both Ping Identity static groups and virtual static groups as well as how to migrate dynamic groups. component: pingdirectory version: 11.0 page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_migrate_oracle_groups canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_migrate_oracle_groups.html revdate: September 13, 2023 page_aliases: ["pd_ds_migrate_static_groups.adoc", "pd_ds_migrate_static_to_virtual_static_groups.adoc", "pd_ds_migrate_dynamic_groups.adoc"] section_ids: migrating-static-groups: Migrating static groups about-this-task: About this task steps: Steps example: Example: example-2: Example: next-steps: Next steps migrating-static-groups-to-virtual-static-groups: Migrating static groups to virtual static groups about-this-task-2: About this task steps-2: Steps example-3: Example: example-4: Example: example-5: Example: example-6: Example: result: Result: example-7: Example: migrating-dynamic-groups: Migrating dynamic groups about-this-task-3: About this task steps-3: Steps --- # Migrating Oracle groups The following sections outline the procedures for migrating static groups to both Ping Identity static groups and virtual static groups as well as how to migrate dynamic groups. You can migrate Oracle static and dynamic groups to PingDirectory server groups. For more information about the differences in access control evaluation between Oracle and the PingDirectoryserver, see [Migrating ACIs from Oracle to the PingDirectory server](../managing_access_control/pd_ds_migrate_acis_oracle_server.html). ## Migrating static groups ### About this task PingDirectory server supports static LDAP groups with structural object classes of `groupOfNames`, `groupOfUniqueNames`, or `groupOfEntries`. In general, you can import static groups without modification. You can enable a First-In, First-Out (FIFO) entry cache to cache group-to-user mappings, which improves performance when accessing large entries at the expense of greater memory consumption. PingDirectory server provides an out-of-the-box FIFO entry cache object for this purpose. You must enable this object using `dsconfig` as described in [Using the entry cache to improve the performance of large static groups](pd_ds_entry_cache_improve_performance_static_groups.html). To migrate static groups: ### Steps 1. To enumerate any schema differences between the DSEE deployment and the Ping Identity deployment, use the `migrate-ldap-schema` tool. 2. To enumerate any configuration differences between the DSEE deployment and the Ping Identity deployment, use the `migrate-sun-ds-config` tool. 3. Import or configure any necessary schema or configuration changes recorded by the tools in steps 1 and 2. 4. Import the existing users and groups using the `import-ldif` tool. 5. From the PingDirectory server root directory, open the `docs/sun-ds-compatibility.dsconfig` file using a text editor. 6. Go to the **FIFO Entry Cache** section. 1. Read the accompanying comments. 2. To enable the corresponding `dsconfig` command, delete the comment character ("#"). #### Example: ```shell $ bin/dsconfig set-entry-cache-prop \ --cache-name "Static Group Entry Cache" --set enabled:true ``` 7. To ensure that references to an entry are updated automatically when the entry is deleted or renamed, enable the Referential Integrity plugin. #### Example: ```shell $ bin/dsconfig set-plugin-prop --plugin-name "Referential Integrity" --set enabled:true ``` ### Next steps If the PingDirectory server is part of a replication topology, enable the Referential Integrity plugin for each replica. ## Migrating static groups to virtual static groups ### About this task In many cases, using virtual static groups in place of static groups can produce marked performance gains without having to update client applications. Migrating to virtual static groups varies depending on the original directory information tree (DIT), but the general approach involves identifying common membership traits for all members of each group and then expressing those traits in the form of an LDAP URL. For this task, consider the following: * The common membership trait for all members of the `All Users` group is the parent distinguish name (DN) `ou=People,dc=example,dc=com`. * In other cases, a common attribute might need to be used. For example, groups based on the location of its members could use the `l` location or `st` state attribute. * The common case of an `All Users` group, which contains all entries under the parent DN `ou=People,dc=example,dc=com`. * When implemented as a virtual static group, this group can have a large membership set without incurring the overhead of a static group. To migrate Oracle Directory Server Enterprise Edition static groups to virtual static groups: ### Steps 1. Create a dynamic group. #### Example: ``` dn: cn=Dynamic All Users,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfURLs cn: Dynamic All Users memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person) ``` 2. Create a virtual static group that references the dynamic group. #### Example: ``` dn: cn=All Users,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames objectClass: ds-virtual-static-group cn: All Users ds-target-group-dn: cn=Dynamic All Users,ou=Groups,dc=example,dc=com ``` 3. To populate the `All Users` group with `uniqueMember` virtual attributes, enable the `Virtual Static uniqueMember` virtual attribute. #### Example: ```shell $ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \ --set enabled:true ``` 4. To confirm that the virtual static group is correctly configured, check a user's membership in the group. #### Example: ```shell $ bin/ldapsearch --baseDN "cn=All Users,ou=Groups,dc=example,dc=com" \ --searchScope base "(uniqueMember=uid=user.0,ou=People,dc=example,dc=com)" 1.1 ``` #### Result: ``` dn: cn=All Users,ou=Groups,dc=example,dc=com ``` 5. If a client application requires it, enable the ability to list all members of a virtual static group. By default, this feature is disabled. #### Example: ```shell $ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \ --set allow-retrieving-membership: true ``` | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can implement the virtual static group using the `groupOfNames` object class instead of `groupOfUniqueNames`. To do this, update the `Virtual Static member` configuration object instead of the `Virtual Static uniqueMember` configuration object. | ## Migrating dynamic groups ### About this task The PingDirectory server supports dynamic groups with the `groupofURLs` object class. In general, you can import dynamic groups without modification. To migrate dynamic groups: ### Steps 1. To enumerate any schema differences between the Oracle Directory Server Enterprise Edition (DSEE) deployment and the Ping Identity deployment, run the `migrate-ldap-schema` tool. 2. To enumerate any configuration differences between the DSEE deployment and the Ping Identitiy deployment, run the `migrate-sun-ds-config` tool. 3. Import or configure any necessary schema and configuration changes recorded by the tools used in steps 1 and 2. 4. Import the existing users and groups using the `import-ldif` tool.